
I am using the aws ecs-cli up command and want to restrict the role/group of the caller to least privilege by using specific permissions.

Is there a flag or way to test-run a CLI command to validate whether all required permissions are available to the caller, rather than granting, say, iam:*?

Additionally, is there a way to limit the permissions to a partial wildcard resource? For example, below I have set * without knowing the full name in advance, so could I use myecs-* instead, which would restrict the resource to some degree?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1555577550000",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}  
art vanderlay

1 Answer


To validate whether all required permissions are available to IAM users, groups or roles in your AWS account, the following are some of the options:

  1. Use the web-GUI-based policy simulator from AWS.

  2. Use the simulate-principal-policy AWS CLI command, i.e. aws iam simulate-principal-policy. Furthermore, if you would like to cover a custom policy, use the AWS CLI command aws iam simulate-custom-policy.

  3. Use the Python-based aws-iam-tester command.

You can use wildcards within your IAM policy statements for Resource or NotResource. Please refer to the following references about the same:

  1. IAM JSON policy elements - Resource.

  2. This existing thread.

amitd
  • Thanks for the detailed answer @amitd. The policy simulator assumes that you already know the policies that are actioned as part of the CLI call. I did not see a way in either the GUI or the Python script to simulate a CLI action without knowing the list of calls made. Am I missing something? – art vanderlay Jan 27 '21 at 10:31
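The partial-wildcard Resource and the simulate-custom-policy check discussed in the answer, as an added example that is not part of the original question or answer. It assumes a placeholder account id (123456789012) and a `myecs-` naming prefix; the candidate ARNs are constructed for illustration. `arn_matches` is a local approximation of IAM's `*`/`?` Resource matching (no policy variables, no condition keys), useful for reasoning about what the pattern covers before you go to AWS; `simulate_command` builds the real `aws iam simulate-custom-policy` invocation that confirms the decision against the service, which needs credentials, so the script only prints it rather than running it. Only the question's `iam:CreateRole` action is included; the other actions ecs-cli up needs are not listed on this page and are not guessed here.

```python
"""Least-privilege IAM policy with a partial-wildcard Resource (myecs-*), a local
wildcard check, and the matching AWS CLI policy-simulator call (added example)."""
import json
import re
import shlex

ACCOUNT_ID = "123456789012"  # placeholder account id (assumption)
ROLE_PREFIX = "myecs-"       # assumed naming prefix for the roles ecs-cli creates


def build_policy(account_id: str, prefix: str) -> dict:
    """Policy document allowing iam:CreateRole only on roles named <prefix>* in
    the given account, instead of the Resource "*" from the question."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateEcsRolesOnly",
                "Effect": "Allow",
                "Action": ["iam:CreateRole"],
                "Resource": [f"arn:aws:iam::{account_id}:role/{prefix}*"],
            }
        ],
    }


def arn_matches(pattern: str, arn: str) -> bool:
    """Approximation of IAM Resource matching: '*' matches any run of characters
    (it spans '/' too), '?' matches exactly one character, everything else is
    literal and case-sensitive. Policy variables like ${aws:username} are not handled."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def allowed_role_arns(policy: dict, candidate_arns: list) -> list:
    """Return the candidates covered by an Allow statement for iam:CreateRole."""
    patterns = [
        res
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Allow" and "iam:CreateRole" in stmt["Action"]
        for res in stmt["Resource"]
    ]
    return [arn for arn in candidate_arns if any(arn_matches(p, arn) for p in patterns)]


def simulate_command(policy: dict, action: str, arn: str) -> list:
    """argv for `aws iam simulate-custom-policy`, the authoritative check: it asks
    IAM's own engine whether `action` on `arn` would be allowed under `policy`."""
    return [
        "aws", "iam", "simulate-custom-policy",
        "--policy-input-list", json.dumps(policy),
        "--action-names", action,
        "--resource-arns", arn,
        "--query", "EvaluationResults[].[EvalActionName,EvalResourceName,EvalDecision]",
        "--output", "text",
    ]


# Constructed candidate ARNs to show what role/myecs-* does and does not cover.
CANDIDATE_ARNS = [
    "arn:aws:iam::123456789012:role/myecs-cluster-role",    # allowed: prefix matches
    "arn:aws:iam::123456789012:role/myecs-svc/myecs-task",  # allowed: '*' spans '/'
    "arn:aws:iam::123456789012:role/prod-myecs-role",       # denied: prefix not at start
    "arn:aws:iam::999999999999:role/myecs-cluster-role",    # denied: different account
]

if __name__ == "__main__":
    policy = build_policy(ACCOUNT_ID, ROLE_PREFIX)
    print(json.dumps(policy, indent=2))
    for arn in CANDIDATE_ARNS:
        verdict = "allowed" if arn in allowed_role_arns(policy, CANDIDATE_ARNS) else "implicit deny"
        print(f"{verdict:14} {arn}")
    # Run this against AWS (with credentials) to confirm the local verdicts:
    print(shlex.join(simulate_command(policy, "iam:CreateRole", CANDIDATE_ARNS[0])))
```

The local matcher is only there to sanity-check the pattern; the printed `aws iam simulate-custom-policy` line is the check to trust, and the comment above is still right that the simulator can only tell you about actions you already know the CLI performs.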